Security hardening: remove command injection paths and tighten input/memory validation #1

Merged: Z3R0space merged 1 commit into Z3R0space:main from Zer0plusOne:fix/security-hardening-and-input-validation on May 28, 2026

@Zer0plusOne
Contributor

Summary

This PR addresses multiple security issues in the scanner implementation and decoy pipeline.

Security fixes included

  1. Removed command-injection paths in ARP resolution

    • Replaced shell-based system() / popen() calls with safe parsing of /proc/net/arp.
    • Added structured MAC parsing without shell execution.
  2. Validated target IPv4 input

    • Added inet_pton-based validation for:
      • direct CLI target input
      • targets loaded from --file
    • Invalid targets are rejected/skipped safely.
  3. Hardened realloc handling in decoy write callback

    • Switched to temporary pointer pattern.
    • Abort callback cleanly on allocation failure.
  4. Improved error handling in init_decoy_ips

    • Added checks for curl_easy_init, JSON parse result, and expected JSON fields.
    • Added consistent cleanup on all error paths.
  5. Validated CIDR prefix bounds

    • Added guard for prefix range 0..32 before mask operations.
  6. Removed API key from source code

    • Replaced compile-time key usage with environment-variable based lookup (SHODAN_API_KEY).
    • Updated README accordingly.

Impact

These changes reduce RCE risk from untrusted input, prevent memory-safety issues on allocation failures, and eliminate secret exposure in source code.

Notes

  • Functional behavior is preserved for normal valid inputs.
  • --shodan now requires SHODAN_API_KEY to be set in the environment.

- Remove shell-based ARP resolution and parse /proc/net/arp safely

- Validate IPv4 targets from CLI and target files

- Guard realloc and JSON/cURL error paths in decoy initialization

- Validate CIDR prefix bounds before expansion

- Move Shodan API key usage to environment variable

@Z3R0space merged commit 7b979a5 into Z3R0space:main on May 28, 2026
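
Items 1 and 2 of the description (resolving a MAC by parsing /proc/net/arp instead of calling a shell, and inet_pton-based target validation) can be illustrated as follows. This is an added example, not code from this PR or the project: `arp_row`, `arp_lookup` and `SAMPLE_ARP` are assumed names, the sample table is constructed, and the caller is assumed to have read /proc/net/arp into a NUL-terminated buffer.

```c
/* Added example, not the project's code. arp_row(), arp_lookup() and
 * SAMPLE_ARP are hypothetical names; SAMPLE_ARP is constructed data. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* One row: 1 = MAC found for `want`, 0 = other host or malformed row,
 * -1 = row matches but the entry is incomplete or its MAC is unparsable. */
static int arp_row(const char *line, struct in_addr want, unsigned char mac[6])
{
    struct in_addr have;
    char addr[64], hw[32];
    unsigned int type, flags, b[6];

    if (sscanf(line, "%63s %x %x %31s", addr, &type, &flags, hw) != 4)
        return 0;
    if (inet_pton(AF_INET, addr, &have) != 1 || have.s_addr != want.s_addr)
        return 0;
    if (!(flags & 0x2) || strlen(hw) != 17 ||   /* 0x2 = ATF_COM (complete) */
        sscanf(hw, "%2x:%2x:%2x:%2x:%2x:%2x",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        mac[i] = (unsigned char)b[i];
    return 1;
}

/* `table` is the text of /proc/net/arp already read into memory. Returns 0
 * and fills mac[] on success, -1 otherwise; `ip` never reaches a shell. */
int arp_lookup(const char *table, const char *ip, unsigned char mac[6])
{
    struct in_addr want;
    char line[256];
    int rc = 0;

    if (inet_pton(AF_INET, ip, &want) != 1)
        return -1;                      /* reject anything but dotted-quad IPv4 */
    while (rc == 0 && *table) {
        size_t n = strcspn(table, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, table);
        rc = arp_row(line, want, mac);  /* the header row returns 0 */
        table += n + (table[n] == '\n');
    }
    return rc == 1 ? 0 : -1;
}

static const char SAMPLE_ARP[] =
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0\n"
    "192.168.1.7      0x1         0x0         00:00:00:00:00:00     *        eth0\n";
```

Because the target string is only ever handed to inet_pton() and compared as a parsed address, input carrying shell metacharacters fails validation and is rejected before any lookup happens.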